Post

FactsDroid - Your Universal Knowledgebase

At very first, install the app on a android device. On opening it ,we get security warning due to the root device and Random Fact button is also disabled.

Opening app on a rooted device

Opening app on a rooted device

open the application in jadx and go to Resources > lib >arm64-v8a . There is two files libapp.so and libflutter.so , which confirms that app is made in flutter framework.

Opening FactsDroid.apk

Opening FactsDroid.apk

Then, we disassemble the app with blutter .

1
python blutter.py ~/FactsDroid.apk/FactsDroid/lib/arm64-v8a/ ~/FactsDroid.apk/FactsDroid/lib/arm64-v8a/output

Content generated by blutter on output directory

Content generated by blutter on output directory

On looking for root keyword inside pp.txt , there is clear hint that _checkRootStatus is being called in facts_droid/main.dart

image.png

On analysing _ initState , it is calling the _checkRootStatus() .

image.png

Just after _initState there is __checkRootStatus

image.png

On analysing the _checkRootStatus method, it has stated that its using channel and passing the method isDeviceRooted and invoked it.

image.png

So, open the application on jadx-gui and search for isDeviceRooted method.

image.png

image.png

Here its initializing, boolean z3 = true; means its assuming that device is rooted and, if each root checking test cases is passed its updating the z3 to false and returning the z3 value.

this function is returning value of z3 and its updated to false only after passing all the test cases.

this function is returning value of z3 and its updated to false only after passing all the test cases.

Then we started to patch this function to return false but the function is returning void. So, we can’t simply set make implementation to set return value false.

1
2
3
4
5
6
7
8
9
10
Java.perform(function() {
    var HandlerClass = Java.use("B.a");
    HandlerClass.g.implementation = function(methodCallObj, resultObj) {
        console.log("[*] Bypassing root check...");
        var Boolean = Java.use("java.lang.Boolean");
        var falseObj = Boolean.valueOf(false);
        resultObj.c(falseObj);
        return; 
    };
});

Start the app by spawning with above frida script.

image.png

Still we do get this error.

image.png

Since, goal is to intercept traffic, we pasted frida script by updating IP and proxy port in frida repl by copying from https://github.com/hackcatml/frida-flutterproxy/blob/main/script.js for patching libapp.so and redirecting traffic to our burpsuite.

image.png

Now on again clicking on Random Fact , we are able to intercept the traffic in burpsuite.

Intercepting traffic in burpsuite.

Intercepting traffic in burpsuite.

Facts are loaded on app successfully.

Facts are loaded on app successfully.

This way, we achieved the goal of our challenge FactsDroid .

This post is licensed under CC BY 4.0 by the author.